mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-23 13:51:06 -05:00
attestation: remove VerifyUserData
parent
dd7d6334ba
commit
292f8eef21
@ -35,7 +35,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
|
||||
pcrs,
|
||||
getTrustedKey,
|
||||
v.tpmEnabled,
|
||||
vtpm.VerifyPKCS1v15,
|
||||
log,
|
||||
)
|
||||
v.getDescribeClient = getEC2Client
|
||||
|
@ -49,7 +49,6 @@ func NewValidator(pcrs measurements.M, idKeyDigests idkeydigest.IDKeyDigests, en
|
||||
pcrs,
|
||||
getTrustedKey(&azureInstanceInfo{}, idKeyDigests, enforceIDKeyDigest, log),
|
||||
validateCVM,
|
||||
vtpm.VerifyPKCS1v15,
|
||||
log,
|
||||
),
|
||||
}
|
||||
|
@ -41,7 +41,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
|
||||
pcrs,
|
||||
v.verifyAttestationKey,
|
||||
validateVM,
|
||||
vtpm.VerifyPKCS1v15,
|
||||
log,
|
||||
)
|
||||
return v
|
||||
|
@ -41,7 +41,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
|
||||
pcrs,
|
||||
trustedKeyFromGCEAPI(newInstanceClient),
|
||||
gceNonHostInfoEvent,
|
||||
vtpm.VerifyPKCS1v15,
|
||||
log,
|
||||
),
|
||||
}
|
||||
|
@ -28,7 +28,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
|
||||
pcrs,
|
||||
unconditionalTrust,
|
||||
func(attestation vtpm.AttestationDocument) error { return nil },
|
||||
vtpm.VerifyPKCS1v15,
|
||||
log,
|
||||
),
|
||||
}
|
||||
|
@ -9,10 +9,8 @@ package vtpm
|
||||
import (
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
|
||||
@ -64,8 +62,6 @@ type (
|
||||
GetInstanceInfo func(tpm io.ReadWriteCloser) ([]byte, error)
|
||||
// ValidateCVM validates confidential computing capabilities of the instance issuing the attestation.
|
||||
ValidateCVM func(attestation AttestationDocument) error
|
||||
// VerifyUserData verifies signed user data.
|
||||
VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
|
||||
)
|
||||
|
||||
// AttestationLogger is a logger used to print warnings and infos during attestation validation.
|
||||
@ -138,27 +134,25 @@ func (i *Issuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
|
||||
|
||||
// Validator handles validation of TPM based attestation.
|
||||
type Validator struct {
|
||||
expected measurements.M
|
||||
getTrustedKey GetTPMTrustedAttestationPublicKey
|
||||
validateCVM ValidateCVM
|
||||
verifyUserData VerifyUserData
|
||||
expected measurements.M
|
||||
getTrustedKey GetTPMTrustedAttestationPublicKey
|
||||
validateCVM ValidateCVM
|
||||
|
||||
log AttestationLogger
|
||||
}
|
||||
|
||||
// NewValidator returns a new Validator.
|
||||
func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey,
|
||||
validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger,
|
||||
validateCVM ValidateCVM, log AttestationLogger,
|
||||
) *Validator {
|
||||
if log == nil {
|
||||
log = &nopAttestationLogger{}
|
||||
}
|
||||
return &Validator{
|
||||
expected: expected,
|
||||
getTrustedKey: getTrustedKey,
|
||||
validateCVM: validateCVM,
|
||||
verifyUserData: verifyUserData,
|
||||
log: log,
|
||||
expected: expected,
|
||||
getTrustedKey: getTrustedKey,
|
||||
validateCVM: validateCVM,
|
||||
log: log,
|
||||
}
|
||||
}
|
||||
|
||||
@ -236,15 +230,6 @@ func GetSHA256QuoteIndex(quotes []*tpmProto.Quote) (int, error) {
|
||||
return 0, fmt.Errorf("attestation did not include SHA256 hashed PCRs")
|
||||
}
|
||||
|
||||
// VerifyPKCS1v15 is a convenience function to call rsa.VerifyPKCS1v15.
|
||||
func VerifyPKCS1v15(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error {
|
||||
key, ok := pub.(*rsa.PublicKey)
|
||||
if !ok {
|
||||
return errors.New("key is not an RSA public key")
|
||||
}
|
||||
return rsa.VerifyPKCS1v15(key, hash, hashed, sig)
|
||||
}
|
||||
|
||||
// GetSelectedMeasurements returns a map of Measurments for the PCRs in selection.
|
||||
func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (measurements.M, error) {
|
||||
tpm, err := open()
|
||||
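Review bot: With the `verifyUserData` field and `VerifyPKCS1v15` removed, neither the `Validator` struct comment nor the `NewValidator` doc comment says how the `userData` passed to `Issue` is tied to the attestation, and the commit has no description explaining why the signature hook is no longer needed. None of the visible hunks touches a call site inside `Validate`, which suggests the hook was already unused, but that should be stated rather than left for the reader to infer. I would add one sentence to the `Validator` comment naming the check that binds user data to the quote. I would also extend the constructor comment, if this is the intended contract, to `// NewValidator returns a new Validator. getTrustedKey and validateCVM must not be nil; a nil log is replaced by a no-op logger.` Only `log` is nil-guarded in the constructor; whether a nil `getTrustedKey` or `validateCVM` fails safely depends on `Validate`, which lies outside these hunks.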
|
@ -76,7 +76,7 @@ func TestValidate(t *testing.T) {
|
||||
defer tpmCloser.Close()
|
||||
|
||||
issuer := NewIssuer(tpmOpen, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
|
||||
validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, nil)
|
||||
validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, nil)
|
||||
|
||||
nonce := []byte{1, 2, 3, 4}
|
||||
challenge := []byte("Constellation")
|
||||
@ -136,7 +136,6 @@ func TestValidate(t *testing.T) {
|
||||
expectedPCRs,
|
||||
fakeGetTrustedKey,
|
||||
fakeValidateCVM,
|
||||
VerifyPKCS1v15,
|
||||
warnLog,
|
||||
)
|
||||
out, err = warningValidator.Validate(attDocRaw, nonce)
|
||||
@ -151,18 +150,18 @@ func TestValidate(t *testing.T) {
|
||||
wantErr bool
|
||||
}{
|
||||
"valid": {
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
|
||||
attDoc: mustMarshalAttestation(attDoc, require),
|
||||
nonce: nonce,
|
||||
},
|
||||
"invalid nonce": {
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
|
||||
attDoc: mustMarshalAttestation(attDoc, require),
|
||||
nonce: []byte{4, 3, 2, 1},
|
||||
wantErr: true,
|
||||
},
|
||||
"invalid signature": {
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
|
||||
attDoc: mustMarshalAttestation(AttestationDocument{
|
||||
Attestation: attDoc.Attestation,
|
||||
InstanceInfo: attDoc.InstanceInfo,
|
||||
@ -177,7 +176,7 @@ func TestValidate(t *testing.T) {
|
||||
func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
||||
return nil, errors.New("untrusted")
|
||||
},
|
||||
fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
fakeValidateCVM, warnLog),
|
||||
attDoc: mustMarshalAttestation(attDoc, require),
|
||||
nonce: nonce,
|
||||
wantErr: true,
|
||||
@ -189,7 +188,7 @@ func TestValidate(t *testing.T) {
|
||||
func(attestation AttestationDocument) error {
|
||||
return errors.New("untrusted")
|
||||
},
|
||||
VerifyPKCS1v15, warnLog),
|
||||
warnLog),
|
||||
attDoc: mustMarshalAttestation(attDoc, require),
|
||||
nonce: nonce,
|
||||
wantErr: true,
|
||||
@ -204,13 +203,13 @@ func TestValidate(t *testing.T) {
|
||||
},
|
||||
fakeGetTrustedKey,
|
||||
fakeValidateCVM,
|
||||
VerifyPKCS1v15, warnLog),
|
||||
warnLog),
|
||||
attDoc: mustMarshalAttestation(attDoc, require),
|
||||
nonce: nonce,
|
||||
wantErr: true,
|
||||
},
|
||||
"no sha256 quote": {
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
|
||||
attDoc: mustMarshalAttestation(AttestationDocument{
|
||||
Attestation: &attest.Attestation{
|
||||
AkPub: attDoc.Attestation.AkPub,
|
||||
@ -227,7 +226,7 @@ func TestValidate(t *testing.T) {
|
||||
wantErr: true,
|
||||
},
|
||||
"invalid attestation document": {
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
|
||||
attDoc: []byte("invalid attestation"),
|
||||
nonce: nonce,
|
||||
wantErr: true,
|
||||
|